NRC: OIG-00-A-02 - NRC's Efforts to Protect its Critical Infrastructure: Presidential Decision Directive 63
Contents

Executive Summary
    Purpose
    Background
    Results in Brief
    Recommendations
Introduction
Background
Results of Review
    Further Effort Is Needed to Complete Critical Infrastructure Planning
Conclusions
Recommendations
OIG Comments on the Agency's Response
Appendix I: Objectives, Scope, and Methodology
Appendix II: Phase I and Phase II Agencies
Appendix III: Abbreviations and Acronyms
Appendix IV: Agency Response to Draft Report
    Staff Comments on Revised Draft OIG Audit Report on Presidential Decision Directive 63 (PDD-63)
Major Contributors to this Report

MEMORANDUM TO:
    William D. Travers, Executive Director for Operations
    Stuart Reiter, Acting Chief Information Officer
FROM:
    Stephen D. Dingbaum /RA/, Assistant Inspector General for Audits
SUBJECT:
    REVIEW OF NRC'S EFFORTS TO PROTECT ITS CRITICAL INFRASTRUCTURE: PRESIDENTIAL DECISION DIRECTIVE 63

Attached is the Office of the Inspector General's audit report titled NRC's Efforts to Protect its Critical Infrastructure: Presidential Decision Directive 63 (PDD 63).
The report incorporates comments provided by your offices, as appropriate, within the body of the report and includes them in their entirety in Appendix IV.

PDD 63 requires NRC and other agencies to develop a plan to eliminate any significant vulnerability to both physical and cyber attacks on their critical infrastructures. Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. While NRC has made good progress toward meeting the goals of PDD 63, the Agency will need to more carefully examine the full scope of the Directive's requirements to complete its planning and assessment efforts. Additional senior management support will also help to ensure that the Agency's effort to protect the nation's critical infrastructure is efficiently and effectively planned and implemented. This report makes four recommendations to improve the Agency's efforts.

In accordance with the attached resolution procedures, please provide your response to the report and information on actions taken or planned on each of the recommendations directed to your office within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG follow up and reporting in accordance with the agreed upon resolution procedures. If you have any questions, please call me at 415-5915.

Attachment: As Stated

cc:
R. McOsker, OCM/RAM
B. Torres, ACMUI
B. Garrick, ACNW
D. Powers, ACRS
J. Larkins, ACRS/ACNW
P. Bollwerk III, ASLBP
K. Cyr, GC
J. Cordes, Acting OCAA
J. Funches, CFO
P. Rabideau, Deputy CFO
J. Dunn Lee, OIP
D. Rathbun, OCA
W. Beecher, OPA
A. Vietti-Cook, SECY
F. Miraglia, DEDR/OEDO
C. Paperiello, DEDMRS/OEDO
P. Norry, DEDM/OEDO
J. Craig, AO/OEDO
M. Springer, ADM
R. Borchardt, OE
G. Caputo, OI
P. Bird, HR
I. Little, SBCR
W. Kane, NMSS
S. Collins, NRR
A. Thadani, RES
P. Lohaus, OSP
F. Congel, IRO
H. Miller, RI
L. Reyes, RII
J. Dyer, RIII
E. Merschoff, RIV
OPA-RI
OPA-RII
OPA-RIII
OPA-RIV

Executive Summary

Purpose

In May 1998, President Clinton issued The Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63 (PDD 63) to initiate a national effort to ensure the security of the nation's critical infrastructures. Because of the importance of this effort, the Office of the Inspector General initiated a review of the Nuclear Regulatory Commission's (NRC) efforts to meet the requirements of the Directive. Our review was conducted in conjunction with a national review being performed under the President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency. This report reflects the results of the first phase of the review, addressing planning and assessment for cyber-based infrastructures.

Background

PDD 63 requires NRC and other agencies to develop a plan to eliminate any significant vulnerability to both physical and cyber attacks on their critical infrastructures. Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government.

Results in Brief

While NRC has made good progress toward meeting the goals of PDD 63, the Agency will need to more carefully examine the full scope of the Directive's requirements to complete its planning and assessment efforts.
Additional senior management support will also help to ensure that the Agency's effort to protect the nation's critical infrastructure is efficiently and effectively planned and implemented.

Recommendations

This report makes four recommendations to improve the Agency's efforts.

Introduction

In May 1998, President Clinton issued The Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63 (PDD 63) to initiate a national effort to ensure the security of the nation's critical infrastructures.(1) This Directive requires the Nuclear Regulatory Commission (NRC) and other agencies to develop a plan to eliminate any significant vulnerability to both physical and cyber attacks on their critical infrastructures. Because of the importance of this effort, the Office of the Inspector General initiated a review of NRC's efforts to meet the requirements of the Directive.

In addition, in late 1999, the President's Council on Integrity and Efficiency (PCIE)(2) and the Executive Council on Integrity and Efficiency (ECIE)(3) initiated a national effort to review the adequacy of the overall Federal Government effort. PCIE and ECIE proposed that the review be completed in four phases. The first phase, addressing planning and assessment for cyber-based infrastructures, began in January 2000. This review was conducted in conjunction with the PCIE/ECIE national effort. Appendix I contains information about our objectives, scope, and methodology.

Background

The Clinton Administration's policy calls for a national effort to ensure the security of the nation's critical infrastructures, also known as mission essential infrastructure. Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government.
Critical infrastructures include, but are not limited to, telecommunications, banking and finance, energy, transportation, and other essential government services. NRC, in the national picture, falls under the energy sector for PDD 63 but, as a Phase II agency, has no sector responsibility itself. NRC supports the Department of Energy (DOE), which has lead responsibility in the energy sector.

Of recent concern are advances in information technology that have caused many infrastructures to become increasingly automated and inter-linked, and have created new vulnerabilities to equipment failures, human error, weather, and physical and cyber attacks.(4) Attacks on both physical and cyber infrastructure may be capable of significantly harming our economic and military power.

The President intends that the United States take all necessary measures to eliminate significant vulnerabilities to both physical and cyber attacks on our nation's critical infrastructures, focusing especially on cyber-systems. By May 22, 2003, the United States is expected to have achieved and should be able to maintain the ability to protect its critical infrastructures from intentional acts that would significantly diminish the abilities of:

- The Federal government to perform essential national security missions and to ensure the general public health and safety;
- State and local governments to maintain order and to deliver minimum essential public services; and
- The private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services.

PDD 63 designates 12 "Phase I" lead agencies with major sector or Federal government-specific responsibilities. Phase I agencies are to encourage and support their counterparts in industry and state and local governments to develop and incorporate their own plans into the National Infrastructure Assurance Plan.
This Plan includes awareness, vulnerability assessment, and information sharing initiatives. In addition, lead agencies have been designated for functions that must be chiefly performed by the Federal government (national defense, foreign affairs, intelligence, law enforcement, and research and development). Other agencies subject to PDD 63 are responsible for protecting their own assets but are not "lead agencies" for external national sectors. The eight agencies comprising the latter group are called Phase II agencies and include NRC. Appendix II provides a listing of Phase I and II agencies. Under PDD 63, the Chief Information Officer of each Phase I and Phase II agency is responsible for information assurance, and a Chief Infrastructure Assurance Officer (CIAO) is responsible for the protection of all of the other aspects of the agency's critical infrastructure. NRC appointed the Director of the Incident Response Operations office as its CIAO.

For each agency involved, a major component of PDD 63 requirements is the development and implementation of a critical infrastructure protection plan (CIPP). NRC submitted the first version of its CIPP(5) to the national Critical Infrastructure Assurance Office in February 1999 and a revised version, based on comments from an external Expert Review Team, in May 1999.

Results of Review

While NRC has made good progress in its effort to meet PDD 63 requirements for the protection of its critical infrastructure, additional senior management attention is needed. This support will help to ensure that the Agency's effort to protect its own critical infrastructure and to support DOE efforts in the energy sector is successful. Because NRC's review started with Year 2000 (Y2K) work, the Agency has not conducted a review sufficiently comprehensive to fully consider the range of potential critical infrastructure systems and assets which should be addressed in its CIPP.
In addition, the Agency needs to define the responsibilities and authority of its CIAO.

Further Effort Is Needed to Complete Critical Infrastructure Planning

NRC began identifying its critical infrastructure by using the results of Y2K efforts. In performing Y2K work, NRC developed an inventory of systems that included a ranking based on the criticality of the system to Agency operations. Seven systems were identified as mission-critical or the highest risk systems. From those, NRC narrowed the number to a single system, located in the office of Incident Response Operations (IRO),(6) which it deemed to fit the criteria for critical infrastructure. However, the implications of critical infrastructure extend beyond the general scope of Y2K evaluation to potentially include systems containing classified information, systems that involve interdependencies with other entities, and systems that relate to activities connected with national security (see footnote (1) for the definition of critical infrastructure). In starting with its Y2K inventory, NRC did not consider the potential for these other types of critical infrastructure issues. For example:

- Executive Order 12656(7) requires NRC to: (1) recapture or authorize the recapture of special nuclear material (SNM)(8) from licensees where necessary to assure the use, preservation, or safeguarding of such materials for the common defense and security, as determined by the Commission or as requested by the Secretary of Energy, and (2) provide advice and technical assistance to Federal, State, and local officials and private sector organizations regarding radiation hazards and protective actions in national security emergencies. Information about SNM is maintained by DOE in a system located at Oak Ridge, Tennessee. NRC licensees submit information about their SNM holdings to this database.
  In addition, NRC may need access to information relating to the provision of advice and technical assistance to other entities as described above. However, the CIPP does not address these issues.

- The National Security Telecommunications and Information Systems Security Committee (NSTISSC)(9) states that national security systems include systems that process classified information. NRC maintains classified information on restricted-use laptops and on a few personal computers (these PCs are not connected to NRC's network but have secured external links). This information, and the systems and assets it resides on, are not addressed as critical infrastructure in the CIPP.

- Executive Order 12472(10) provides NRC (and all Federal departments and agencies) with responsibilities for national security and emergency preparedness telecommunications functions. These responsibilities must be carried out in conjunction with the Federal Emergency Management Agency (FEMA) and others. In addition, communication with FEMA is part of NRC's emergency response procedures related to licensee events. While communication with FEMA is discussed in the CIPP, it is not addressed in the CIPP as critical infrastructure.

NRC's CIPP makes good progress in addressing the Agency's activities in preparing for PDD 63 requirements. However, the above examples indicate that the Agency needs to reexamine its approach to ensure that it includes all critical infrastructure systems and assets that should be addressed in its CIPP.

In addition, while staff submitted a paper to the Commission describing the implications of PDD 63 in a general sense, staff has not provided the Commission with NRC's own plan, the CIPP, for addressing the Directive's requirements. Staff did submit a paper to the Commission containing its plan to address a similar PDD.(11) This provided senior management attention crucial to that work.
Similar attention is warranted in a significant national effort such as that under PDD 63 to ensure that the Directive is adequately addressed.

NRC's Office of the Chief Information Officer prepared the Agency's CIPP, which focuses on internal systems. However, NRC must also consider the implications of such efforts with regard to its licensees. To that end, Agency personnel met with DOE officials to discuss NRC's role in supporting DOE's work as the lead agency for the Energy Sector.

Stemming from its own initiative and from the discussions with DOE, NRC's Office of Nuclear Materials Safety and Safeguards began work on a second plan, separate from the CIPP, to cover PDD 63 requirements and other related activities with its licensees. As a result, the Agency has two separate efforts underway: (1) internal, reflected in the CIPP, and (2) external, titled NRC Action Plan in Response to PDD 63. At the time of our review, the NRC Action Plan was in draft and the Agency did not plan to integrate the Action Plan with the CIPP. To maintain a consistent approach to PDD 63 and to ensure the Directive is fully addressed, NRC should integrate those portions of the Action Plan related to PDD 63, at least by reference, into the CIPP.

Finally, PDD 63 states that the CIAO is responsible for the protection of all aspects of the Agency's critical infrastructure other than information assurance, a CIO responsibility. However, NRC has not yet formally defined the authority and responsibilities of its CIAO. To ensure that the CIAO can function effectively in ensuring the Agency carries out its responsibilities under the Directive, NRC should provide a formal definition of the CIAO's authority and responsibilities.

Conclusions

While NRC has made good progress toward meeting the goals of PDD 63, the Agency still needs to more fully examine the scope of the Directive's requirements and incorporate the PDD 63-related efforts in the Action Plan into the CIPP.
Also, the support and concurrence of the Commission will help to ensure that the Agency's effort to protect the nation's critical infrastructure is efficiently and effectively planned and implemented. Finally, the Agency needs to formally establish the responsibilities and authority of the CIAO to ensure the effective functioning of that important position.

Recommendations

To ensure that NRC fully addresses the requirements of PDD 63, we recommend that the Executive Director for Operations and the Chief Information Officer:

1. Identify all elements of NRC's critical infrastructure to ensure that the full scope of the Directive is addressed.
2. Incorporate the PDD 63-relevant portions of the Action Plan, at least by reference, into the CIPP.
3. Provide a time line for the Commission to receive and approve the CIPP.

We also recommend that the Executive Director for Operations:

4. Develop a formal description of the responsibilities and authority of the CIAO.

OIG Comments on the Agency's Response

On September 21, 2000, the Executive Director for Operations and the Acting Chief Information Officer responded to our draft report and agreed with our recommendations. In addition, they provided editorial comments on the report. Based on those comments, we made changes to the report where appropriate. Their response is included as Appendix IV.

Appendix I: Objectives, Scope, and Methodology

The objective of our review was to assess the adequacy of the Nuclear Regulatory Commission's (NRC) efforts to address the requirements of Presidential Decision Directive 63. The overall review was proposed to consist of four phases. Phases I and II relate to critical cyber-based infrastructures and Phases III and IV relate to critical physical infrastructures. This report contains results for Phase I only.
In Phase I we reviewed the adequacy of agency planning and assessment activities for protecting their critical, cyber-based infrastructures. Specifically, we reviewed the adequacy of agency plans, asset identification efforts, and initial vulnerability assessments. The objectives for Phase I of the audit were to:

- Identify past and present issues related to NRC's critical infrastructure, and the criteria and management roles and responsibilities related to its program.
- Determine whether NRC has developed an effective plan for protecting its critical cyber-based infrastructures.
- Determine whether NRC has identified its cyber-based critical infrastructure and interdependencies.(12)
- Determine whether NRC has adequately identified the threats, vulnerabilities, and potential magnitude of harm to its cyber-based critical infrastructure that may result from the loss, alteration, unavailability, misuse, or unauthorized access to or modification of its critical cyber-based infrastructure investments.

Our review was based on guidance developed by a President's Council on Integrity and Efficiency and Executive Council on Integrity and Efficiency working group in conjunction with the many Offices of the Inspector General which are participating. To accomplish our objectives, we reviewed NRC's critical infrastructure protection plan and the planning and assessment that led to NRC's identification of critical infrastructure. We interviewed cognizant NRC officials in the Offices of the Chief Information Officer, Nuclear Materials Safety and Safeguards, and Incident Response Operations. We also met with officials from other Offices of the Inspector General.
In addition, we reviewed related guidance and criteria developed by the national Critical Infrastructure Assurance Office, the General Accounting Office, and others.

We evaluated the management controls related to NRC's critical infrastructure program and conducted our audit from January 2000 through June 2000 in accordance with generally accepted Government auditing standards.

Appendix II: Phase I and Phase II Agencies

Phase I Lead Agencies and Critical Infrastructure Sectors

Phase I Lead Agency                        Critical Infrastructure Sector
Commerce                                   Information and communications
Treasury                                   Banking and finance
Environmental Protection Agency            Water supply
Transportation                             Aviation, Highways, Mass transit, Pipelines, Rail, Waterborne commerce
Justice/FBI                                Emergency law enforcement services
Federal Emergency Management Agency        Emergency fire service, Continuity of government services
Health and Human Services                  Public health services
Energy                                     Electric power, Oil and gas production and storage

Phase I Lead Agencies for Special Functions

Phase I Lead Agency                        Special Function Area
Justice/FBI                                Law enforcement and internal security
Central Intelligence Agency                Foreign intelligence
State                                      Foreign affairs
Defense                                    National defense
Office of Science and Technology Policy    Research and development

Phase II Agencies (no sector responsibility)

Agriculture
General Services Administration
Education
Labor
Housing and Urban Development
National Aeronautics and Space Administration
Interior
Nuclear Regulatory Commission

Appendix III: Abbreviations and Acronyms

CIAO     Chief Infrastructure Assurance Officer
CIPP     Critical Infrastructure Protection Plan
DOE      Department of Energy
ECIE     Executive Council on Integrity and Efficiency
FEMA     Federal Emergency Management Agency
IRO      Incident Response Operations
NRC      U.S. Nuclear Regulatory Commission
NSTISSC  National Security Telecommunications and Information Systems Security Committee
PCIE     President's Council on Integrity and Efficiency
PDD      Presidential Decision Directive
SNM      Special Nuclear Material
Y2K      Year 2000

Appendix IV: Agency Response to Draft Report

September 21, 2000

MEMORANDUM TO:
    Stephen D. Dingbaum, Assistant Inspector General for Audits, Office of the Inspector General
FROM:
    William D. Travers /RA Frank J. Miraglia Acting For/, Executive Director for Operations
    Stuart Reiter /RA/, Acting Chief Information Officer
SUBJECT:
    DRAFT AUDIT REPORT - NRC'S EFFORTS TO PROTECT INFORMATION TECHNOLOGY CRITICAL INFRASTRUCTURE: PRESIDENTIAL DECISION DIRECTIVE 63

This memorandum responds to your draft audit report dated September 15, 2000, regarding the NRC's efforts to protect its critical infrastructure pursuant to Presidential Decision Directive 63 (PDD-63). As discussed in the report and in PDD-63, there are 12 "Phase I" agencies, with sector or Federal government-specific responsibilities. NRC is a "Phase II" agency with no sector responsibility other than to support the sector lead (DOE).

Upon receiving the report, we convened a core group of staff to review the report and its recommendations on the PDD-63 initiative. This core group consisted of the staff involved in developing the NRC Critical Infrastructure Protection Plan (CIPP) as well as the staff who have been working to support DOE with their responsibility for the Energy sector under the PDD-63 initiative.

We appreciate the opportunity to have met with your staff to discuss this report after our initial review. Based on that meeting and our review of the revised draft report, the attached comments reflect factual clarification and editorial recommendations. With these clarifications, we agree with the report's conclusion and recommendations.
We also note that the report acknowledges the progress that the staff has made to meet the goals of PDD-63.

In addition to our response, we see no reason that the report should not be publicly released.

If you have any further questions or concerns about this matter, please contact Debra Corley at 415-1728.

Attachment: As stated

Staff Comments on Revised Draft OIG Audit Report on Presidential Decision Directive 63 (PDD-63)

Page 1, Recommendations section: change "three" recommendations to "four".

Page 4, Background section, 1st paragraph, last sentence ("NRC's role at the national level falls in the energy sector."): Recommend deleting this sentence (this paragraph and the following two paragraphs discuss critical infrastructure background. Agency roles and responsibilities, including NRC's, are discussed on page 5). If not deleted, propose revising as follows: "NRC falls under the Energy sector for PDD-63, but as a Phase II agency, has no sector responsibility."

Page 6, Results of Review section, 1st sentence: Delete the word "protect" and add the words "support DOE in protecting" ("....to help ensure that the Agency's efforts to [struck: protect] support DOE in protecting the nation's critical infrastructure......").

Page 6, Results of Review section, 2nd sentence: Recommend revising this sentence as follows: "Although NRC's review [struck: In particular, because it] started with Year 2000 (Y2K) work, it does not appear that the Agency has [struck: not] completed a comprehensive review to fully consider the range of potential critical infrastructure systems........"

Page 7, Further Effort is Needed to Complete Critical Infrastructure Planning section, last sentence: Recommend revising this sentence as follows: "However, it did not appear that NRC [struck: did not] considered the potential for ......"

Page 9, 1st paragraph after bullet, 2nd sentence: Recommend revising this sentence as follows: "However, the above examples indicate that the Agency needs to take a more comprehensive [struck: reexamine its] approach to ensure......."

Page 10, 1st full paragraph: Recommend deleting this paragraph ("NRC's Office of the Chief Information Officer prepared the Agency's CIPP......."). NRC, as a Phase II agency under PDD-63, has no Energy sector responsibility. NRC, on its own initiative, however, plans to provide support to DOE as the lead agency for the Energy sector.

Page 10, 2nd paragraph, 3rd sentence: Recommend revising this sentence as follows: "At the time of our review, the NRC Action Plan in Response to PDD-63 was a draft plan, and at that point in time the Agency did not plan to integrate the Action Plan with the CIPP."

Page 12, Recommendation 2: Recommend revising the recommendation to be consistent with the text in the report (page 10) as follows: "Incorporate the PDD-63 relevant portions of the Action Plan, at least by reference, into the CIPP."

AUDITOR'S NOTE: Pages identified in the staff comments referring to the draft report are now found in the final report as follows:

Page 1 remains Page 1.
Page 4 is now Page 3.
Page 6 is now Page 5.
Page 6 is now Page 5.
Page 7 is now Page 5.
Page 9 is now Page 7, 1st paragraph, 2nd sentence.
Page 10 is now Page 7, 3rd paragraph.
Page 10 is now Page 7, 4th paragraph, 3rd sentence.
Page 12 is now Page 8.

Major Contributors to this Report

William McDowell, Team Leader
Robert Moody, Audit Manager

Notes

1. The national Critical Infrastructure Assurance Office has defined agency critical infrastructure or mission-essential infrastructure as "the framework of critical organizations, personnel, systems, and facilities that are absolutely required in order to provide the inputs and outputs necessary to support the core processes essential to accomplishing an organization's core mission as they relate to national security, national economic security or continuity of government services."
The Atomic Energy Act of 1954, as amended, and the Energy Reorganization Act of 1974, as amended, established NRC's regulatory mission to: (1) regulate the Nation's civilian use of byproduct, source, and special nuclear materials; (2) ensure adequate protection of the public health and safety; (3) promote the common defense and security; and (4) protect the environment.

2. Established by executive order, PCIE is comprised of all Presidentially appointed Inspectors General. PCIE is charged with conducting interagency and inter-entity audit, inspection and investigation projects to effectively and efficiently deal with government-wide issues of fraud, waste and abuse.

3. The ECIE is comprised mainly of the designated Inspectors General. An ECIE member serves as a Council representative on each of the PCIE Committees.

4. As used here, cyber attacks, or cyber terror, may be defined as the unauthorized electronic access, manipulation or destruction of electronic data or code that is being processed, stored or transmitted on electronic media, having the effect of actual or potential harm to the nation's critical infrastructure.

5. The Plan is fully titled United States Nuclear Regulatory Commission (NRC) Critical Infrastructure Protection Plan in Response to Presidential Decision Directive 63 (PDD-63), Version 1.0, January 31, 1999.

6. IRO directs the NRC program for response to incidents, and is the agency incident response interface with the Federal Emergency Management Agency and other Federal agencies. IRO exercises oversight of the regional response programs, manages the NRC Operations Center, and receives, screens, and promptly recommunicates operational event information reported to the Operations Center.

7. Executive Order 12656 is titled Assignment of Emergency Preparedness Responsibilities, dated November 18, 1988.

8. SNM is defined in 10 CFR 20.1003 as "(1) Plutonium, uranium-233, uranium enriched in the isotope 233 or in isotope 235, and any other material that the NRC, pursuant to the provisions of section 51 of the AEA [the Atomic Energy Act of 1954], determines to be SNM, but does not include source material; (2) or any material artificially enriched by any of the foregoing but does not include source material." SNM is important in the fabrication of weapons grade materials and as such has strict licensing and handling controls.

9. NSTISSC sets national policy and promulgates direction, operational procedures, and guidance for the security of national security systems. NSTISSC is composed of members from 21 U.S. Government executive branch departments and agencies as well as observers from 11 additional departments and agencies.

10. Executive Order 12472 is titled Assignment of National Security and Emergency Preparedness Telecommunications Functions, dated April 3, 1984.

11. Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of Government Operations, dated October 1998.

12. Interdependence is defined by the National Plan for Information Systems Protection as "Dependence among elements or sites of different infrastructures, and therefore, effects by one infrastructure upon another."

Page Last Reviewed/Updated Thursday, March 29, 2012